My session was about Kubernetes and Container Security. At the end of the session, I promised to update our customers and partners with relevant roadmap announcements during 2019, and I am happy to deliver the first announcement today:

As part of this release, CloudGuard IaaS provides the following new features:

Secure the traffic between Kubernetes microservices and your on-premises or cloud assets (also known as “North-South traffic”) using IPsec VPN. For example: CloudGuard IaaS allows you to configure VPN between your cloud environment and on-premises, in order for your microservice to communicate securely with your on-premises database.

Dynamic policy that changes as the Kubernetes environment changes, including an access policy that is based on Kubernetes tags (labels, services, etc.).

Full HTTPS support: CloudGuard IaaS allows you to perform inspection of SSL/TLS traffic that flows to a microservice. It allows you to choose whether to inspect the traffic or to pass it and route it based on the Server Name Indication (SNI).

Virtual Patching: Containers are built using packages which may contain vulnerabilities. In case a vulnerability is discovered in a package, updating the affected containers may take a few weeks or even a few months in some cases. CloudGuard IaaS provides the ability to define virtual patching, which prevents exploiting this vulnerability until you deploy new containers with a non-vulnerable package.

Additionally, CloudGuard IaaS allows you to automate your Kubernetes security using common infrastructure-automation tools such as Terraform and Ansible.

What are a few common use cases for the new Container security functionality?

Application Control and Anti-Bot

One of the potential attack vectors in Kubernetes environments is to exploit a container and use its compute resource to spawn a bitcoin-mining container which is fetched from an external, malicious container registry. (You can read about a similar hack of Tesla’s Kubernetes deployment here.) Using CloudGuard IaaS, you can restrict communication to trusted registries only. Additionally, you can enable Anti-Bot and thereby prevent the malicious bitcoin-mining container from receiving commands from the unauthorized command and control server.

Scale Out Events

When a new pod is added to the Kubernetes environment in a scale out event, CloudGuard IaaS detects that there is a new pod. It then retrieves the pod’s assigned IP address and updates the CloudGuard security gateway with this data. If the pod’s labels match a defined policy, the security gateway does not require any manual policy installation; it starts inspecting the traffic automatically according to the defined policy.
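The label-matching step behind this scale-out behaviour (and the label-based dynamic policy listed above) can be illustrated in a few lines. The following is an added example, not CloudGuard code: it applies Kubernetes label-selector semantics (matchLabels and matchExpressions) to constructed pod objects shaped like the API’s metadata/status fields, and returns the pod IPs each rule would cover, skipping pods that have no IP yet.

```python
# Added illustration, not CloudGuard code: Kubernetes label-selector
# matching (matchLabels + matchExpressions) over constructed pod dicts.
def selector_matches(selector, labels):
    """True if `labels` satisfies a Kubernetes-style label selector."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        values, present = expr.get("values", []), expr["key"] in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True

def resolve_policy_ips(policies, pods):
    """Map each rule name to the sorted IPs of pods it covers. Pods without
    a podIP yet (Pending) are skipped: nothing to push to the gateway."""
    result = {name: [] for name in policies}
    for pod in pods:
        ip = pod.get("status", {}).get("podIP")
        if not ip:
            continue
        labels = pod["metadata"].get("labels", {})
        for name, selector in policies.items():
            if selector_matches(selector, labels):
                result[name].append(ip)
    return {name: sorted(ips) for name, ips in result.items()}

# Constructed sample: two rules, three pods (the third is still Pending).
POLICIES = {
    "web-to-db": {"matchLabels": {"app": "web", "tier": "frontend"}},
    "prod-non-canary": {"matchExpressions": [
        {"key": "env", "operator": "In", "values": ["prod"]},
        {"key": "canary", "operator": "DoesNotExist"}]},
}
PODS = [
    {"metadata": {"labels": {"app": "web", "tier": "frontend", "env": "prod"}},
     "status": {"podIP": "10.244.1.5"}},
    {"metadata": {"labels": {"app": "web", "tier": "frontend", "env": "prod",
                             "canary": "true"}}, "status": {"podIP": "10.244.2.7"}},
    {"metadata": {"labels": {"app": "web", "tier": "frontend", "env": "prod"}},
     "status": {"phase": "Pending"}},
]
```

Calling `resolve_policy_ips(POLICIES, PODS)` yields both running pods for `web-to-db` and only the non-canary pod for `prod-non-canary`; a real integration would feed this from a pod watch instead of a static list.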

Vulnerability

If a new vulnerability is discovered in NGINX, for example, and your engineering team estimates it will take 5 days to ship a new container, CloudGuard allows you to enable a specific IPS signature that prevents anyone from exploiting the vulnerability in the containers which use this NGINX version. Once your team deploys the containers with a non-vulnerable version, you can remove this IPS signature in order to release CloudGuard IaaS resources and improve performance.

You’re encouraged to try this new functionality for yourself:

Get a free trial of CloudGuard IaaS in the Marketplaces of Azure (with a limited-time special offer by Microsoft and Check Point), AWS, GCP or Oracle.

And please watch the Check Point blog for more announcements about Container and Kubernetes security.